Hey! <<all logs at the end>> We're currently running FreeRADIUS version 3.2.6 on an Azure VM (running debian 11.11), handling EAP-TLS authentication for our network. The setup includes Cisco Meraki access points onsite and we're distributing SCEP certificates and WiFi profiles through Intune. The setup seems a bit weird but we only have an Azure AD so we can't use an on-premise NPS classic server (and cloud PKI/Radius are too expensive for our company). The problem is with Windows clients taking a long time (about 45 seconds) during the "Checking Network Requirements" phase of authentication. Android devices reconnect almost instantly without even appearing in the logs, and macOS seems relatively fast, but Windows remains significantly slower. We’ve already disabled OCSP revocation checks, so it seems not to be the issue here. The cache module is enabled, but does not seems to be used. Latency to the Azure-hosted FreeRADIUS server seems reasonable based on traceroutes, and authentication works; it's just the speed on Windows that’s problematic. Has anyone else faced similar performance issues with Windows clients? Could the cloud-hosted FreeRADIUS server be the bottleneck here? I would greatly appreciate any insight on optimizing FreeRADIUS or tuning Windows. Thanks for any help! **Wifi Configuration settings** ``` - Wi-Fi type: Enterprise - Connect automatically when in range: Yes - Connect to more preferred network if available: Yes - Connect to this network, even when it is not broadcasting its SSID: Yes - Metered Connection Limit: Unrestricted - Authentication Mode: Machine - Remember credentials at each logon: Not configured - Authentication period: Not configured - Authentication retry delay period: Not configured - Start period: Not configured - Maximum EAPOL-start: 3 - Maximum authentication failures: 5 - Single sign-on (SSO): Disable Fast roaming settings: - Enable pairwise master key (PMK) caching: Yes - Maximum time a PMK is stored in cache: 720 - Maximum number of PMK's stored in cache: 10 :Extensible Authentication Protocol (EAP): - EAP type: EAP-TLS - Server Trust - Certificate server names: redacted - Root certificates for server validation: Win-CA-Root - Client Authentication - Authentication method: SCEP certificate - Client certificate for client authentication (Identity certificate): Win-CA-SCEP - Company proxy settings: None - Force Wi-Fi profile to be compliant with the Federal Information Processing Standard (FIPS): No ``` **Configuration Logs** ``` FreeRADIUS Version 3.2.6 Copyright (C) 1999-2023 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/dictionary including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/mods-enabled/ including configuration file /etc/freeradius/mods-enabled/always including configuration file /etc/freeradius/mods-enabled/dynamic_clients including configuration file /etc/freeradius/mods-enabled/realm including configuration file /etc/freeradius/mods-enabled/sradutmp including configuration file /etc/freeradius/mods-enabled/passwd including configuration file /etc/freeradius/mods-enabled/expr including configuration file /etc/freeradius/mods-enabled/replicate including configuration file /etc/freeradius/mods-enabled/expiration including configuration file /etc/freeradius/mods-enabled/digest including configuration file /etc/freeradius/mods-enabled/files including configuration file /etc/freeradius/mods-enabled/soh including configuration file /etc/freeradius/mods-enabled/utf8 including configuration file /etc/freeradius/mods-enabled/cache including configuration file /etc/freeradius/mods-enabled/detail.log including configuration file /etc/freeradius/mods-enabled/unpack including configuration file /etc/freeradius/mods-enabled/eap including configuration file /etc/freeradius/mods-enabled/preprocess including configuration file /etc/freeradius/mods-enabled/logintime including configuration file /etc/freeradius/mods-enabled/detail including configuration file /etc/freeradius/mods-enabled/echo including configuration file /etc/freeradius/mods-enabled/radutmp including configuration file /etc/freeradius/mods-enabled/exec including configuration file /etc/freeradius/mods-enabled/linelog including configuration file /etc/freeradius/mods-enabled/attr_filter including configuration file /etc/freeradius/mods-enabled/unix including configuration file /etc/freeradius/mods-enabled/date including configuration file /etc/freeradius/mods-enabled/totp including files in directory /etc/freeradius/policy.d/ including configuration file /etc/freeradius/policy.d/debug including configuration file /etc/freeradius/policy.d/filter including configuration file /etc/freeradius/policy.d/cui including configuration file /etc/freeradius/policy.d/control including configuration file /etc/freeradius/policy.d/eap including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/policy.d/canonicalization including configuration file /etc/freeradius/policy.d/rfc7542 including configuration file /etc/freeradius/policy.d/operator-name including configuration file /etc/freeradius/policy.d/abfab-tr including configuration file /etc/freeradius/policy.d/accounting including configuration file /etc/freeradius/policy.d/dhcp including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { security { user = "freerad" group = "freerad" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 proxy_dedup_window = 1 cleanup_delay = 5 max_requests = 16384 max_fds = 512 postauth_client_lost = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes require_message_authenticator = "auto" limit_proxy_state = "auto" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { nonblock = no ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client AP-Meraki { ipaddr = <<< secret >>> secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached systemd watchdog is disabled # Creating Auth-Type = eap # Creating Auth-Type = digest # Creating Autz-Type = New-TLS-Connection radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/freeradius/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüà âæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎà ÔŒÙÛÜŸ" } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/mods-enabled/digest # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/mods-enabled/files files { filename = "/etc/freeradius/mods-config/files/authorize" acctusersfile = "/etc/freeradius/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy" } # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8 # Loaded module rlm_cache # Loading module "cache" from file /etc/freeradius/mods-enabled/cache cache { driver = "rlm_cache_rbtree" key = "%{User-Name}" ttl = 43200 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_detail # Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/mods-enabled/eap eap { default_eap_type = "tls" timer_expire = 60 max_eap_type = 52 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 16384 dedup_key = "" } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loading module "detail" from file /etc/freeradius/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no dates_as_integer = no escape_filenames = no log_packet_header = no } # Loaded module rlm_exec # Loading module "echo" from file /etc/freeradius/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loading module "exec" from file /etc/freeradius/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.coa { filename = "/etc/freeradius/mods-config/attr_filter/coa" key = "%{User-Name}" relaxed = no } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_date # Loading module "date" from file /etc/freeradius/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "wispr2date" from file /etc/freeradius/mods-enabled/date date wispr2date { format = "%Y-%m-%dT%H:%M:%S" utc = no } # Loaded module rlm_totp # Loading module "totp" from file /etc/freeradius/mods-enabled/totp totp { time_step = 30 otp_length = 6 lookback_steps = 1 lookback_interval = 30 lookforward_steps = 0 } instantiate { } # Instantiating module "reject" from file /etc/freeradius/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/mods-enabled/always # Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm # Instantiating module "bangpath" from file /etc/freeradius/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm # Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration # Instantiating module "files" from file /etc/freeradius/mods-enabled/files reading pairlist file /etc/freeradius/mods-config/files/authorize reading pairlist file /etc/freeradius/mods-config/files/accounting reading pairlist file /etc/freeradius/mods-config/files/pre-proxy # Instantiating module "cache" from file /etc/freeradius/mods-enabled/cache rlm_cache (cache): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/ssl/private/server.key" certificate_file = "/etc/ssl/certs/server.crt" ca_file = "/etc/ssl/certs/secret-CA.cer" private_key_password = <<< secret >>> fragment_size = 2048 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT" cipher_server_preference = no reject_unknown_intermediate_ca = no ecdh_curve = "" tls_max_version = "1.3" tls_min_version = "1.2" cache { enable = yes lifetime = 12 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/mods-config/preprocess/hints # Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime # Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail # Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response # Instantiating module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/coa # Instantiating module "totp" from file /etc/freeradius/mods-enabled/totp } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:366 Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server inner-tunnel server default { # from file /etc/freeradius/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} Compiling Autz-Type New-TLS-Connection for attr Autz-Type # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type Compiling Post-Auth-Type Challenge for attr Post-Auth-Type Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on proxy address * port 38048 Listening on proxy address :: port 32969 Ready to process requests ``` **Windows Auth Logs** ``` Ready to process requests (5) Received Access-Request Id 81 from secret:39522 to 10.0.0.4:1812 length 392 (5) User-Name = "host/1YHMMX3" (5) NAS-IP-Address = secret (5) NAS-Identifier = "E4-55-A8-06-9E-02:vap0" (5) NAS-Port-Type = Wireless-802.11 (5) Service-Type = Framed-User (5) NAS-Port = 2 (5) Calling-Station-Id = "D4-E9-8A-64-66-AD" (5) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 48 / Channel: 36" (5) Acct-Session-Id = "9F136B00DBCD73D5" (5) Acct-Multi-Session-Id = "D60E76FE14B8AD67" (5) WLAN-Pairwise-Cipher = 1027076 (5) WLAN-Group-Cipher = 1027076 (5) WLAN-AKM-Suite = 1027073 (5) Meraki-Network-Name = "secret" (5) Meraki-Ap-Name = "secret" (5) Meraki-Ap-Tags = " secret SUPPORT " (5) Called-Station-Id = "E4-55-A8-06-9E-02:secret" (5) Meraki-Device-Name = "secret" (5) Framed-MTU = 1400 (5) EAP-Message = 0x0242001101686f73742f3159484d4d5833 (5) Message-Authenticator = 0xf7614831e49cfa50761795b1572e7ec1 (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 66 length 17 (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap: Peer sent packet with method EAP Identity (1) (5) eap: Calling submodule eap_tls to process data (5) eap_tls: (TLS) TLS -Initiating new session (5) eap_tls: (TLS) TLS - Setting verify mode to require certificate from client (5) eap: Sending EAP Request (code 1) ID 67 length 10 (5) eap: EAP session adding &reply:State = 0xf15076f3f1137bed (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) session-state: Saving cached attributes (5) Framed-MTU = 1400 (5) Sent Access-Challenge Id 81 from 10.0.0.4:1812 to secret:39522 length 68 (5) EAP-Message = 0x0143000a0da000000000 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0xf15076f3f1137bed70d174e475b9e983 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 82 from secret:39522 to 10.0.0.4:1812 length 656 (6) User-Name = "host/1YHMMX3" (6) NAS-IP-Address = secret (6) NAS-Identifier = "E4-55-A8-06-9E-02:vap0" (6) NAS-Port-Type = Wireless-802.11 (6) Service-Type = Framed-User (6) NAS-Port = 2 (6) Calling-Station-Id = "D4-E9-8A-64-66-AD" (6) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 49 / Channel: 36" (6) Acct-Session-Id = "9F136B00DBCD73D5" (6) Acct-Multi-Session-Id = "D60E76FE14B8AD67" (6) WLAN-Pairwise-Cipher = 1027076 (6) WLAN-Group-Cipher = 1027076 (6) WLAN-AKM-Suite = 1027073 (6) Meraki-Network-Name = "secret" (6) Meraki-Ap-Name = "secret" (6) Meraki-Ap-Tags = " secret SUPPORT " (6) Called-Station-Id = "E4-55-A8-06-9E-02:secret" (6) Meraki-Device-Name = "secret" (6) Framed-MTU = 1400 (6) EAP-Message = 0x024301050d80000000fb16030100f6010000f203035a191083e476b1739aae3986f005d3d100b82dad8f65abef0a6bcb0af0e4bc1120c23488d01f0d27c472fec4fa4be1d80de4b7ac6882824e70362e5c6a89d21414002813021301c02cc02bc030c02fc024c023c028c027c00ac009c014c013009d009c003d003c0035002f01000081000500050100000000002b0009080304030303020301000d001a001808040805080604010501020104030503020302020601060300230000000a00080006001d00170018003300260024001d00207d543550d7a282b89cfe863f1d9a577170fc2d5babcf96903ee3286c6b6c65130031000000170000ff01000100002d00020101 (6) State = 0xf15076f3f1137bed70d174e475b9e983 (6) Message-Authenticator = 0x7c64759901e6cda66eb6317232530306 (6) Restoring &session-state (6) &session-state:Framed-MTU = 1400 (6) # Executing section authorize from file /etc/freeradius/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 67 length 261 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) [files] = noop (6) [expiration] = noop (6) [logintime] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap: Removing EAP session with state 0xf15076f3f1137bed (6) eap: Previous EAP request found for state 0xf15076f3f1137bed, released from the list (6) eap: Peer sent packet with method EAP TLS (13) (6) eap: Calling submodule eap_tls to process data (6) eap_tls: (TLS) EAP Peer says that the final record size will be 251 bytes (6) eap_tls: (TLS) EAP Got all data (251 bytes) (6) eap_tls: (TLS) TLS - Handshake state - before SSL initialization (6) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization (6) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization (6) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client hello (6) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, ServerHello (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server hello (6) eap_tls: (TLS) TLS - send TLS 1.3 ChangeCipherSpec (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write change cipher spec (6) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions (6) eap_tls: (TLS) TLS - Handshake state - Server TLSv1.3 write encrypted extensions (6) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, CertificateRequest (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write certificate request (6) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, Certificate (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write certificate (6) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, CertificateVerify (6) eap_tls: (TLS) TLS - Handshake state - Server TLSv1.3 write server certificate verify (6) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, Finished (6) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write finished (6) eap_tls: (TLS) TLS - Handshake state - Server TLSv1.3 early data (6) eap_tls: (TLS) TLS - Server : Need to read more data: TLSv1.3 early data (6) eap_tls: (TLS) TLS - In Handshake Phase (6) eap: Sending EAP Request (code 1) ID 68 length 1406 (6) eap: EAP session adding &reply:State = 0xf15076f3f0147bed (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) session-state: Saving cached attributes (6) Framed-MTU = 1400 (6) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (6) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (6) Sent Access-Challenge Id 82 from 10.0.0.4:1812 to secret:39522 length 1474 (6) EAP-Message = 0x0144057e0dc000000bfe160303007a0200007603031b7eb945a3ac6adbf78184518f2a6050f6a7fcbafed15b74125225a652791a3820c23488d01f0d27c472fec4fa4be1d80de4b7ac6882824e70362e5c6a89d21414130200002e002b0002030400330024001d00207d99764f2a0b2be679541fffd944505f069502a8ba26d1115c844152f9c2662f1403030001011703030017d201883ed2c63db7c76c250fbaa5315c27b4737f677ab617030300896a9b2699972f747a1627a768918a1d91674ee28dca346da32e9d7a358d2361e3d6d456776e7d641d928b1156e10b216f3bc5fe364a08ef0d3d2ba55e54f197c849678b6b18aa7b782b3342c7b46ea4ca0b8217a0b47030fa8b08cae23063922eca585c8ea52638d64bdc85f8f802b08f4601f93de6636f1903f022ad01837222bfced30e08921c771e17030309624379a78d51d08fc55048f64daad24360b157f4ecd84e397215ae2152c386072ba010c96be7a9774ae89b42bbc1743b0a88fe809c2be102b56c (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xf15076f3f0147bed70d174e475b9e983 (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 83 from secret:39522 to 10.0.0.4:1812 length 399 (7) User-Name = "host/1YHMMX3" (7) NAS-IP-Address = secret (7) NAS-Identifier = "E4-55-A8-06-9E-02:vap0" (7) NAS-Port-Type = Wireless-802.11 (7) Service-Type = Framed-User (7) NAS-Port = 2 (7) Calling-Station-Id = "D4-E9-8A-64-66-AD" (7) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 49 / Channel: 36" (7) Acct-Session-Id = "9F136B00DBCD73D5" (7) Acct-Multi-Session-Id = "D60E76FE14B8AD67" (7) WLAN-Pairwise-Cipher = 1027076 (7) WLAN-Group-Cipher = 1027076 (7) WLAN-AKM-Suite = 1027073 (7) Meraki-Network-Name = "secret" (7) Meraki-Ap-Name = "secret" (7) Meraki-Ap-Tags = " secret SUPPORT " (7) Called-Station-Id = "E4-55-A8-06-9E-02:secret" (7) Meraki-Device-Name = "secret" (7) Framed-MTU = 1400 (7) EAP-Message = 0x024400060d00 (7) State = 0xf15076f3f0147bed70d174e475b9e983 (7) Message-Authenticator = 0x9c31594e9379170b04727aa6fdd10316 (7) Restoring &session-state (7) &session-state:Framed-MTU = 1400 (7) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (7) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (7) # Executing section authorize from file /etc/freeradius/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 68 length 6 (7) eap: No EAP Start, assuming it's an on-going EAP conversation (7) [eap] = updated (7) [files] = noop (7) [expiration] = noop (7) [logintime] = noop (7) } # authorize = updated (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) authenticate { (7) eap: Removing EAP session with state 0xf15076f3f0147bed (7) eap: Previous EAP request found for state 0xf15076f3f0147bed, released from the list (7) eap: Peer sent packet with method EAP TLS (13) (7) eap: Calling submodule eap_tls to process data (7) eap_tls: (TLS) Peer ACKed our handshake fragment (7) eap: Sending EAP Request (code 1) ID 69 length 1406 (7) eap: EAP session adding &reply:State = 0xf15076f3f3157bed (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) session-state: Saving cached attributes (7) Framed-MTU = 1400 (7) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (7) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (7) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (7) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (7) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (7) Sent Access-Challenge Id 83 from 10.0.0.4:1812 to secret:39522 length 1474 (7) EAP-Message = 0x0145057e0dc000000bfe624d265fd6daf4804016be50e30c18a3954c7c3028ce727b05fa7612bed8a846fe21e1e8a9f9d4e7ce9b5f0d8d33738dee6d6cca3b04213970a130287aa99b3a8afe8396671415011ac33bffc4bcae67750113e5248d4cf864d9d81470d63628ae3c191e400b8724e7f598f9b8b810143d5f9657808f2bd7e15b4dbb4430957732497df6f0561a0a706a10902454532bf9ec8e0aaea848d43bbce1f672d88b4b43027af49ea005d83dcce1a5478e91fccdd6ee3bac7faceeb64a9577785467a925bc7d6759635c9490785984c3b13822d9287414c6257dda69d17594bf8b8a1b7a0d12a8df7f6449b038f94e3d86737308ec2d8ce9ae015e51fec516cb22cd168d6b1c39a23b7419537c740d27711f166f245d90a16ff472fc293b870de5da901a97a4d7cbb666f4f460afbb8aff05de29c065c420cfd4c7a1364f8cf8130543f93a324060d05dc12edb110817ae3a5d457d2d75afbd641b4d97417f2158b997ecd766c516cc98a71f44b496fd (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0xf15076f3f3157bed70d174e475b9e983 (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 84 from secret:39522 to 10.0.0.4:1812 length 399 (8) User-Name = "host/1YHMMX3" (8) NAS-IP-Address = secret (8) NAS-Identifier = "E4-55-A8-06-9E-02:vap0" (8) NAS-Port-Type = Wireless-802.11 (8) Service-Type = Framed-User (8) NAS-Port = 2 (8) Calling-Station-Id = "D4-E9-8A-64-66-AD" (8) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 48 / Channel: 36" (8) Acct-Session-Id = "9F136B00DBCD73D5" (8) Acct-Multi-Session-Id = "D60E76FE14B8AD67" (8) WLAN-Pairwise-Cipher = 1027076 (8) WLAN-Group-Cipher = 1027076 (8) WLAN-AKM-Suite = 1027073 (8) Meraki-Network-Name = "secret" (8) Meraki-Ap-Name = "secret" (8) Meraki-Ap-Tags = " secret SUPPORT " (8) Called-Station-Id = "E4-55-A8-06-9E-02:secret" (8) Meraki-Device-Name = "secret" (8) Framed-MTU = 1400 (8) EAP-Message = 0x024500060d00 (8) State = 0xf15076f3f3157bed70d174e475b9e983 (8) Message-Authenticator = 0x70c95f4ea819fc276c6a8401b00e981f (8) Restoring &session-state (8) &session-state:Framed-MTU = 1400 (8) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (8) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (8) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (8) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (8) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (8) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (8) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (8) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (8) # Executing section authorize from file /etc/freeradius/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 69 length 6 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) [files] = noop (8) [expiration] = noop (8) [logintime] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) authenticate { (8) eap: Removing EAP session with state 0xf15076f3f3157bed (8) eap: Previous EAP request found for state 0xf15076f3f3157bed, released from the list (8) eap: Peer sent packet with method EAP TLS (13) (8) eap: Calling submodule eap_tls to process data (8) eap_tls: (TLS) Peer ACKed our handshake fragment (8) eap: Sending EAP Request (code 1) ID 70 length 288 (8) eap: EAP session adding &reply:State = 0xf15076f3f2167bed (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/freeradius/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) session-state: Saving cached attributes (8) Framed-MTU = 1400 (8) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (8) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (8) Sent Access-Challenge Id 84 from 10.0.0.4:1812 to secret:39522 length 348 (8) EAP-Message = 0x014601200d8000000bfec7515fd5c0b86a5c5f3333589c951e3dd8efabc746b5b719be279a1afc014072d1621901ff9dda5ee2b485b86754eadee3df2a3d984a7e5c798b7499d10b5d19127a7b65f0e26d7dc95c7ea1859b977ee69ac0b4218a3a874414aa75b641f714c53ffd7bf22a4b6a97de0219ce57109ed61ce0716e76d97bf21c7c788abeda5d9da2ebc8d0997f62c75ca24bbd94d46eff794051852a98466da5ccff887ac37a9c1c5454e7b1b62733b261d267daa8ed8efae8842033f7ed2e0a9d2f787441bd4315c4637195d87e515dd5741703030045da2dacbf19c1fbc15e9928fbe919b47a938d0ed8679fa6989d7a31d5c03ac5ec204e12cdf47d21ff9f0852b270eaf5ed84c1c7f5f7f0fdd184e11a667aa1d6583a5282933b (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xf15076f3f2167bed70d174e475b9e983 (8) Finished request Waking up in 4.8 seconds. (5) Cleaning up request packet ID 81 with timestamp +199 due to cleanup_delay was reached (6) Cleaning up request packet ID 82 with timestamp +199 due to cleanup_delay was reached (7) Cleaning up request packet ID 83 with timestamp +199 due to cleanup_delay was reached (8) Cleaning up request packet ID 84 with timestamp +199 due to cleanup_delay was reached Ready to process requests (9) Received Access-Request Id 94 from secret:33786 to 10.0.0.4:1812 length 385 (9) User-Name = "host/1YHMMX3" (9) NAS-IP-Address = secret (9) NAS-Identifier = "E4-55-A8-06-A9-3E:vap0" (9) NAS-Port-Type = Wireless-802.11 (9) Service-Type = Framed-User (9) NAS-Port = 1 (9) Calling-Station-Id = "D4-E9-8A-64-66-AD" (9) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 22 / Channel: 100" (9) Acct-Session-Id = "1A69A45514A77457" (9) Acct-Multi-Session-Id = "61CCB23C843CED83" (9) WLAN-Pairwise-Cipher = 1027076 (9) WLAN-Group-Cipher = 1027076 (9) WLAN-AKM-Suite = 1027073 (9) Meraki-Network-Name = "secret" (9) Meraki-Ap-Name = "secret" (9) Meraki-Ap-Tags = " secret " (9) Called-Station-Id = "E4-55-A8-06-A9-3E:secret" (9) Meraki-Device-Name = "secret" (9) Framed-MTU = 1400 (9) EAP-Message = 0x021c001101686f73742f3159484d4d5833 (9) Message-Authenticator = 0xdc880e599cad11ed979a513f8986f1c2 (9) # Executing section authorize from file /etc/freeradius/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 28 length 17 (9) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) authenticate { (9) eap: Peer sent packet with method EAP Identity (1) (9) eap: Calling submodule eap_tls to process data (9) eap_tls: (TLS) TLS -Initiating new session (9) eap_tls: (TLS) TLS - Setting verify mode to require certificate from client (9) eap: Sending EAP Request (code 1) ID 29 length 10 (9) eap: EAP session adding &reply:State = 0x4373e489436ee94b (9) [eap] = handled (9) } # authenticate = handled (9) Using Post-Auth-Type Challenge (9) # Executing group from file /etc/freeradius/sites-enabled/default (9) Challenge { ... } # empty sub-section is ignored (9) session-state: Saving cached attributes (9) Framed-MTU = 1400 (9) Sent Access-Challenge Id 94 from 10.0.0.4:1812 to secret:33786 length 68 (9) EAP-Message = 0x011d000a0da000000000 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0x4373e489436ee94be2b5e695e75f3b35 (9) Finished request Waking up in 4.9 seconds. (10) Received Access-Request Id 95 from secret:33786 to 10.0.0.4:1812 length 649 (10) User-Name = "host/1YHMMX3" (10) NAS-IP-Address = secret (10) NAS-Identifier = "E4-55-A8-06-A9-3E:vap0" (10) NAS-Port-Type = Wireless-802.11 (10) Service-Type = Framed-User (10) NAS-Port = 1 (10) Calling-Station-Id = "D4-E9-8A-64-66-AD" (10) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 23 / Channel: 100" (10) Acct-Session-Id = "1A69A45514A77457" (10) Acct-Multi-Session-Id = "61CCB23C843CED83" (10) WLAN-Pairwise-Cipher = 1027076 (10) WLAN-Group-Cipher = 1027076 (10) WLAN-AKM-Suite = 1027073 (10) Meraki-Network-Name = "secret" (10) Meraki-Ap-Name = "secret" (10) Meraki-Ap-Tags = " secret " (10) Called-Station-Id = "E4-55-A8-06-A9-3E:secret" (10) Meraki-Device-Name = "secret" (10) Framed-MTU = 1400 (10) EAP-Message = 0x021d01050d80000000fb16030100f6010000f20303fbf08663c66c27abe018cd6b0e89d6281ca76651246539826596a3ccd4b95f85203136bd0212dac0d8069c888390f59bb8dba0145d5b101aead3efe2f136a9129f002813021301c02cc02bc030c02fc024c023c028c027c00ac009c014c013009d009c003d003c0035002f01000081000500050100000000002b0009080304030303020301000d001a001808040805080604010501020104030503020302020601060300230000000a00080006001d00170018003300260024001d00205fa41235d98d34a55e8af3aab734e87ece9c2d26fdba4ac2bf08ae069328e3520031000000170000ff01000100002d00020101 (10) State = 0x4373e489436ee94be2b5e695e75f3b35 (10) Message-Authenticator = 0xc209cdd2dbd227feeb2c70401b601563 (10) Restoring &session-state (10) &session-state:Framed-MTU = 1400 (10) # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) authorize { (10) policy filter_username { (10) if (&User-Name) { (10) if (&User-Name) -> TRUE (10) if (&User-Name) { (10) if (&User-Name =~ / /) { (10) if (&User-Name =~ / /) -> FALSE (10) if (&User-Name =~ /@[^@]*@/ ) { (10) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (10) if (&User-Name =~ /\.\./ ) { (10) if (&User-Name =~ /\.\./ ) -> FALSE (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (10) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (10) if (&User-Name =~ /\.$/) { (10) if (&User-Name =~ /\.$/) -> FALSE (10) if (&User-Name =~ /@\./) { (10) if (&User-Name =~ /@\./) -> FALSE (10) } # if (&User-Name) = notfound (10) } # policy filter_username = notfound (10) [preprocess] = ok (10) [digest] = noop (10) suffix: Checking for suffix after "@" (10) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (10) suffix: No such realm "NULL" (10) [suffix] = noop (10) eap: Peer sent EAP Response (code 2) ID 29 length 261 (10) eap: No EAP Start, assuming it's an on-going EAP conversation (10) [eap] = updated (10) [files] = noop (10) [expiration] = noop (10) [logintime] = noop (10) } # authorize = updated (10) Found Auth-Type = eap (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) authenticate { (10) eap: Removing EAP session with state 0x4373e489436ee94b (10) eap: Previous EAP request found for state 0x4373e489436ee94b, released from the list (10) eap: Peer sent packet with method EAP TLS (13) (10) eap: Calling submodule eap_tls to process data (10) eap_tls: (TLS) EAP Peer says that the final record size will be 251 bytes (10) eap_tls: (TLS) EAP Got all data (251 bytes) (10) eap_tls: (TLS) TLS - Handshake state - before SSL initialization (10) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization (10) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization (10) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello (10) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client hello (10) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, ServerHello (10) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server hello (10) eap_tls: (TLS) TLS - send TLS 1.3 ChangeCipherSpec (10) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write change cipher spec (10) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions (10) eap_tls: (TLS) TLS - Handshake state - Server TLSv1.3 write encrypted extensions (10) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, CertificateRequest (10) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write certificate request (10) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, Certificate (10) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write certificate (10) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, CertificateVerify (10) eap_tls: (TLS) TLS - Handshake state - Server TLSv1.3 write server certificate verify (10) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, Finished (10) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write finished (10) eap_tls: (TLS) TLS - Handshake state - Server TLSv1.3 early data (10) eap_tls: (TLS) TLS - Server : Need to read more data: TLSv1.3 early data (10) eap_tls: (TLS) TLS - In Handshake Phase (10) eap: Sending EAP Request (code 1) ID 30 length 1406 (10) eap: EAP session adding &reply:State = 0x4373e489426de94b (10) [eap] = handled (10) } # authenticate = handled (10) Using Post-Auth-Type Challenge (10) # Executing group from file /etc/freeradius/sites-enabled/default (10) Challenge { ... } # empty sub-section is ignored (10) session-state: Saving cached attributes (10) Framed-MTU = 1400 (10) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (10) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (10) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (10) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (10) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (10) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (10) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (10) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (10) Sent Access-Challenge Id 95 from 10.0.0.4:1812 to secret:33786 length 1474 (10) EAP-Message = 0x011e057e0dc000000bfe160303007a020000760303cafe0e839917d70390bd2483bfbd7f1d61f26f54928f706187549b77f501af91203136bd0212dac0d8069c888390f59bb8dba0145d5b101aead3efe2f136a9129f130200002e002b0002030400330024001d00203469e8e93a785816a6459541aea080345cb8a967e84487bb244aabe9276cea251403030001011703030017067e58589e3095ebe22be5bf097b5efe2351c6a6f1cdbc1703030089582efe2ffcf3f00af21ea0f832dbce9e330a693b346d9abd1727f7a0727e4fa07e31f9aa59c22e9e0a3683404805725631e16354d84e4b28457357ea62a6a226c4e59acb83154cf73a7aa3344ad21689c6a78ee7e2bb0b9dca38c955d13e7ebeb0eb9d1bee219f8bdc3931ffcad4ffcd85639b3cd33ea829d8ef62fe719829a3c76ea6529523fb4b751703030962f37fd093bd188eaae10af8baeb5376f9d4b357032fc97c8e886718662c1d8a4f279f64c33dd28e0bb0519a31166cfe0783754e776204a41842 (10) Message-Authenticator = 0x00000000000000000000000000000000 (10) State = 0x4373e489426de94be2b5e695e75f3b35 (10) Finished request Waking up in 4.9 seconds. (11) Received Access-Request Id 96 from secret:33786 to 10.0.0.4:1812 length 392 (11) User-Name = "host/1YHMMX3" (11) NAS-IP-Address = secret (11) NAS-Identifier = "E4-55-A8-06-A9-3E:vap0" (11) NAS-Port-Type = Wireless-802.11 (11) Service-Type = Framed-User (11) NAS-Port = 1 (11) Calling-Station-Id = "D4-E9-8A-64-66-AD" (11) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 24 / Channel: 100" (11) Acct-Session-Id = "1A69A45514A77457" (11) Acct-Multi-Session-Id = "61CCB23C843CED83" (11) WLAN-Pairwise-Cipher = 1027076 (11) WLAN-Group-Cipher = 1027076 (11) WLAN-AKM-Suite = 1027073 (11) Meraki-Network-Name = "secret" (11) Meraki-Ap-Name = "secret" (11) Meraki-Ap-Tags = " secret " (11) Called-Station-Id = "E4-55-A8-06-A9-3E:secret" (11) Meraki-Device-Name = "secret" (11) Framed-MTU = 1400 (11) EAP-Message = 0x021e00060d00 (11) State = 0x4373e489426de94be2b5e695e75f3b35 (11) Message-Authenticator = 0x3761ac51d550505bc655263cacfedd2a (11) Restoring &session-state (11) &session-state:Framed-MTU = 1400 (11) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (11) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (11) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (11) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (11) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (11) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (11) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (11) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (11) # Executing section authorize from file /etc/freeradius/sites-enabled/default (11) authorize { (11) policy filter_username { (11) if (&User-Name) { (11) if (&User-Name) -> TRUE (11) if (&User-Name) { (11) if (&User-Name =~ / /) { (11) if (&User-Name =~ / /) -> FALSE (11) if (&User-Name =~ /@[^@]*@/ ) { (11) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (11) if (&User-Name =~ /\.\./ ) { (11) if (&User-Name =~ /\.\./ ) -> FALSE (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (11) if (&User-Name =~ /\.$/) { (11) if (&User-Name =~ /\.$/) -> FALSE (11) if (&User-Name =~ /@\./) { (11) if (&User-Name =~ /@\./) -> FALSE (11) } # if (&User-Name) = notfound (11) } # policy filter_username = notfound (11) [preprocess] = ok (11) [digest] = noop (11) suffix: Checking for suffix after "@" (11) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (11) suffix: No such realm "NULL" (11) [suffix] = noop (11) eap: Peer sent EAP Response (code 2) ID 30 length 6 (11) eap: No EAP Start, assuming it's an on-going EAP conversation (11) [eap] = updated (11) [files] = noop (11) [expiration] = noop (11) [logintime] = noop (11) } # authorize = updated (11) Found Auth-Type = eap (11) # Executing group from file /etc/freeradius/sites-enabled/default (11) authenticate { (11) eap: Removing EAP session with state 0x4373e489426de94b (11) eap: Previous EAP request found for state 0x4373e489426de94b, released from the list (11) eap: Peer sent packet with method EAP TLS (13) (11) eap: Calling submodule eap_tls to process data (11) eap_tls: (TLS) Peer ACKed our handshake fragment (11) eap: Sending EAP Request (code 1) ID 31 length 1406 (11) eap: EAP session adding &reply:State = 0x4373e489416ce94b (11) [eap] = handled (11) } # authenticate = handled (11) Using Post-Auth-Type Challenge (11) # Executing group from file /etc/freeradius/sites-enabled/default (11) Challenge { ... } # empty sub-section is ignored (11) session-state: Saving cached attributes (11) Framed-MTU = 1400 (11) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (11) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (11) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (11) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (11) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (11) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (11) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (11) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (11) Sent Access-Challenge Id 96 from 10.0.0.4:1812 to secret:33786 length 1474 (11) EAP-Message = 0x011f057e0dc000000bfe21ead2eae17e61cca74fc3ad10282ab008dfc01742a8475eda59ef77e5901821842ed78578cea6c0b1fe74c8ed8f503db3ce8a2bf202c1fb3b03af392f0bf65363a25ea256a415c814ec5ef000b7e7c599b5365422cad99953e3478b55234296f50e1e738ffcebc55fd9d44b7834a0663333937dcd50f432b90b765ff6d058b6418149235096ee543dcf64c13e788d80dd76f9df7ad9ead344190a2ac340804f796a539b31a974ab8006ecd897020a7eab2f53efb571120a7f72ea044a7317b3bf12eb5c28506dc86f5a5581d96c852b619d5ff5e5f45e68af55018c86691e0947ad9c4c6a9cfe8adbb85e681173a5b105e396016398e690c2f08e334e6ab6341c82d2442013b7708f20abdf3a8877d679c5aa48348d392ea6024307c76ca61e2b036ec853cb2b848ebb58c22f2807cf8f1c1a493477bd24fbc9b4594b0922fbb397d207b4c4392caa818ce6e697b38b9055533fa13ee428f6ed48ea092cc2ad71dfca573ce4e03b0cfb575a12 (11) Message-Authenticator = 0x00000000000000000000000000000000 (11) State = 0x4373e489416ce94be2b5e695e75f3b35 (11) Finished request Waking up in 4.9 seconds. (12) Received Access-Request Id 97 from secret:33786 to 10.0.0.4:1812 length 392 (12) User-Name = "host/1YHMMX3" (12) NAS-IP-Address = secret (12) NAS-Identifier = "E4-55-A8-06-A9-3E:vap0" (12) NAS-Port-Type = Wireless-802.11 (12) Service-Type = Framed-User (12) NAS-Port = 1 (12) Calling-Station-Id = "D4-E9-8A-64-66-AD" (12) Connect-Info = "CONNECT 54.00 Mbps / 802.11ac / RSSI: 24 / Channel: 100" (12) Acct-Session-Id = "1A69A45514A77457" (12) Acct-Multi-Session-Id = "61CCB23C843CED83" (12) WLAN-Pairwise-Cipher = 1027076 (12) WLAN-Group-Cipher = 1027076 (12) WLAN-AKM-Suite = 1027073 (12) Meraki-Network-Name = "secret" (12) Meraki-Ap-Name = "secret" (12) Meraki-Ap-Tags = " secret " (12) Called-Station-Id = "E4-55-A8-06-A9-3E:secret" (12) Meraki-Device-Name = "secret" (12) Framed-MTU = 1400 (12) EAP-Message = 0x021f00060d00 (12) State = 0x4373e489416ce94be2b5e695e75f3b35 (12) Message-Authenticator = 0x14ee3a9fc1fb03b78bdc1761dce16e55 (12) Restoring &session-state (12) &session-state:Framed-MTU = 1400 (12) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (12) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (12) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (12) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (12) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (12) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (12) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (12) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (12) # Executing section authorize from file /etc/freeradius/sites-enabled/default (12) authorize { (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = notfound (12) } # policy filter_username = notfound (12) [preprocess] = ok (12) [digest] = noop (12) suffix: Checking for suffix after "@" (12) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (12) suffix: No such realm "NULL" (12) [suffix] = noop (12) eap: Peer sent EAP Response (code 2) ID 31 length 6 (12) eap: No EAP Start, assuming it's an on-going EAP conversation (12) [eap] = updated (12) [files] = noop (12) [expiration] = noop (12) [logintime] = noop (12) } # authorize = updated (12) Found Auth-Type = eap (12) # Executing group from file /etc/freeradius/sites-enabled/default (12) authenticate { (12) eap: Removing EAP session with state 0x4373e489416ce94b (12) eap: Previous EAP request found for state 0x4373e489416ce94b, released from the list (12) eap: Peer sent packet with method EAP TLS (13) (12) eap: Calling submodule eap_tls to process data (12) eap_tls: (TLS) Peer ACKed our handshake fragment (12) eap: Sending EAP Request (code 1) ID 32 length 288 (12) eap: EAP session adding &reply:State = 0x4373e4894053e94b (12) [eap] = handled (12) } # authenticate = handled (12) Using Post-Auth-Type Challenge (12) # Executing group from file /etc/freeradius/sites-enabled/default (12) Challenge { ... } # empty sub-section is ignored (12) session-state: Saving cached attributes (12) Framed-MTU = 1400 (12) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (12) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (12) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (12) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (12) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (12) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (12) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (12) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (12) Sent Access-Challenge Id 97 from 10.0.0.4:1812 to secret:33786 length 348 (12) EAP-Message = 0x012001200d8000000bfe194021f65f040a9864f1437b0ed64422b895c2f78f6a0957042f727ca223d8abded1f8337c590e017e5b434af48e4009b3bbac13d86b65d6b3de31e964bd49400351243b5592e2af8c2a42eff28efb2d929947a10998e2e509bf67bf3153e6c958dcb47cb1b844e75a96492a545852137190e3f6dccd09874608cc9fd9a824eaa9529ef2be30bf55f11ff5aa117291cd39323e530d591ebed2069d6aa11cc797dd67fc500a568a484e7c4e1d068c0015bb50b5aab7845f89178056050699e9a92872cc7935943bb7e416eda61703030045b7a5a5434cce6ba80c18ac62f4da672cefc077f59fe78eda43482db03273c562ce37ffe6093e220c865de7f3d4dc69109f265920e34f1715aee96bbfe61ab78f6200a90723 (12) Message-Authenticator = 0x00000000000000000000000000000000 (12) State = 0x4373e4894053e94be2b5e695e75f3b35 (12) Finished request Waking up in 4.8 seconds. (9) Cleaning up request packet ID 94 with timestamp +218 due to cleanup_delay was reached (10) Cleaning up request packet ID 95 with timestamp +218 due to cleanup_delay was reached (11) Cleaning up request packet ID 96 with timestamp +218 due to cleanup_delay was reached (12) Cleaning up request packet ID 97 with timestamp +218 due to cleanup_delay was reached Ready to process requests (13) Received Access-Request Id 17 from secret:44534 to 10.0.0.4:1812 length 383 (13) User-Name = "host/1YHMMX3" (13) NAS-IP-Address = secret (13) NAS-Identifier = "E4-55-A8-06-A9-3E:vap0" (13) NAS-Port-Type = Wireless-802.11 (13) Service-Type = Framed-User (13) NAS-Port = 1 (13) Calling-Station-Id = "D4-E9-8A-64-66-AD" (13) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 37 / Channel: 11" (13) Acct-Session-Id = "82C6E9505A1A170B" (13) Acct-Multi-Session-Id = "D1735CC8AF307E3C" (13) WLAN-Pairwise-Cipher = 1027076 (13) WLAN-Group-Cipher = 1027076 (13) WLAN-AKM-Suite = 1027073 (13) Meraki-Network-Name = "secret" (13) Meraki-Ap-Name = "secret" (13) Meraki-Ap-Tags = " secret " (13) Called-Station-Id = "E4-55-A8-06-A9-3E:secret" (13) Meraki-Device-Name = "secret" (13) Framed-MTU = 1400 (13) EAP-Message = 0x028a001101686f73742f3159484d4d5833 (13) Message-Authenticator = 0x115783637754e3fe42b8eb7746ee4c1a (13) # Executing section authorize from file /etc/freeradius/sites-enabled/default (13) authorize { (13) policy filter_username { (13) if (&User-Name) { (13) if (&User-Name) -> TRUE (13) if (&User-Name) { (13) if (&User-Name =~ / /) { (13) if (&User-Name =~ / /) -> FALSE (13) if (&User-Name =~ /@[^@]*@/ ) { (13) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (13) if (&User-Name =~ /\.\./ ) { (13) if (&User-Name =~ /\.\./ ) -> FALSE (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (13) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (13) if (&User-Name =~ /\.$/) { (13) if (&User-Name =~ /\.$/) -> FALSE (13) if (&User-Name =~ /@\./) { (13) if (&User-Name =~ /@\./) -> FALSE (13) } # if (&User-Name) = notfound (13) } # policy filter_username = notfound (13) [preprocess] = ok (13) [digest] = noop (13) suffix: Checking for suffix after "@" (13) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (13) suffix: No such realm "NULL" (13) [suffix] = noop (13) eap: Peer sent EAP Response (code 2) ID 138 length 17 (13) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (13) [eap] = ok (13) } # authorize = ok (13) Found Auth-Type = eap (13) # Executing group from file /etc/freeradius/sites-enabled/default (13) authenticate { (13) eap: Peer sent packet with method EAP Identity (1) (13) eap: Calling submodule eap_tls to process data (13) eap_tls: (TLS) TLS -Initiating new session (13) eap_tls: (TLS) TLS - Setting verify mode to require certificate from client (13) eap: Sending EAP Request (code 1) ID 139 length 10 (13) eap: EAP session adding &reply:State = 0x17bfec171734e18d (13) [eap] = handled (13) } # authenticate = handled (13) Using Post-Auth-Type Challenge (13) # Executing group from file /etc/freeradius/sites-enabled/default (13) Challenge { ... } # empty sub-section is ignored (13) session-state: Saving cached attributes (13) Framed-MTU = 1400 (13) Sent Access-Challenge Id 17 from 10.0.0.4:1812 to secret:44534 length 68 (13) EAP-Message = 0x018b000a0da000000000 (13) Message-Authenticator = 0x00000000000000000000000000000000 (13) State = 0x17bfec171734e18dea1aee57ef94a17d (13) Finished request Waking up in 4.9 seconds. (14) Received Access-Request Id 18 from secret:44534 to 10.0.0.4:1812 length 647 (14) User-Name = "host/1YHMMX3" (14) NAS-IP-Address = secret (14) NAS-Identifier = "E4-55-A8-06-A9-3E:vap0" (14) NAS-Port-Type = Wireless-802.11 (14) Service-Type = Framed-User (14) NAS-Port = 1 (14) Calling-Station-Id = "D4-E9-8A-64-66-AD" (14) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 36 / Channel: 11" (14) Acct-Session-Id = "82C6E9505A1A170B" (14) Acct-Multi-Session-Id = "D1735CC8AF307E3C" (14) WLAN-Pairwise-Cipher = 1027076 (14) WLAN-Group-Cipher = 1027076 (14) WLAN-AKM-Suite = 1027073 (14) Meraki-Network-Name = "secret" (14) Meraki-Ap-Name = "secret" (14) Meraki-Ap-Tags = " secret " (14) Called-Station-Id = "E4-55-A8-06-A9-3E:secret" (14) Meraki-Device-Name = "secret" (14) Framed-MTU = 1400 (14) EAP-Message = 0x028b01050d80000000fb16030100f6010000f2030311fda476c2b1125a02935603ea838388adaba181b145ca111f95bcf945df44d92076fdc5a5044c2b7480acb3030a6f1df6e28396b6314fad5415f13dc3f3e89ab2002813021301c02cc02bc030c02fc024c023c028c027c00ac009c014c013009d009c003d003c0035002f01000081000500050100000000002b0009080304030303020301000d001a001808040805080604010501020104030503020302020601060300230000000a00080006001d00170018003300260024001d00202512cc91cc1c7895ef9038ff7fe927bb65b07f2a9843542abffd7fde1d8af5070031000000170000ff01000100002d00020101 (14) State = 0x17bfec171734e18dea1aee57ef94a17d (14) Message-Authenticator = 0xe2fc58955492040f14032f3764191d2b (14) Restoring &session-state (14) &session-state:Framed-MTU = 1400 (14) # Executing section authorize from file /etc/freeradius/sites-enabled/default (14) authorize { (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = notfound (14) } # policy filter_username = notfound (14) [preprocess] = ok (14) [digest] = noop (14) suffix: Checking for suffix after "@" (14) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (14) suffix: No such realm "NULL" (14) [suffix] = noop (14) eap: Peer sent EAP Response (code 2) ID 139 length 261 (14) eap: No EAP Start, assuming it's an on-going EAP conversation (14) [eap] = updated (14) [files] = noop (14) [expiration] = noop (14) [logintime] = noop (14) } # authorize = updated (14) Found Auth-Type = eap (14) # Executing group from file /etc/freeradius/sites-enabled/default (14) authenticate { (14) eap: Removing EAP session with state 0x17bfec171734e18d (14) eap: Previous EAP request found for state 0x17bfec171734e18d, released from the list (14) eap: Peer sent packet with method EAP TLS (13) (14) eap: Calling submodule eap_tls to process data (14) eap_tls: (TLS) EAP Peer says that the final record size will be 251 bytes (14) eap_tls: (TLS) EAP Got all data (251 bytes) (14) eap_tls: (TLS) TLS - Handshake state - before SSL initialization (14) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization (14) eap_tls: (TLS) TLS - Handshake state - Server before SSL initialization (14) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello (14) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client hello (14) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, ServerHello (14) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server hello (14) eap_tls: (TLS) TLS - send TLS 1.3 ChangeCipherSpec (14) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write change cipher spec (14) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions (14) eap_tls: (TLS) TLS - Handshake state - Server TLSv1.3 write encrypted extensions (14) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, CertificateRequest (14) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write certificate request (14) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, Certificate (14) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write certificate (14) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, CertificateVerify (14) eap_tls: (TLS) TLS - Handshake state - Server TLSv1.3 write server certificate verify (14) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, Finished (14) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write finished (14) eap_tls: (TLS) TLS - Handshake state - Server TLSv1.3 early data (14) eap_tls: (TLS) TLS - Server : Need to read more data: TLSv1.3 early data (14) eap_tls: (TLS) TLS - In Handshake Phase (14) eap: Sending EAP Request (code 1) ID 140 length 1406 (14) eap: EAP session adding &reply:State = 0x17bfec171633e18d (14) [eap] = handled (14) } # authenticate = handled (14) Using Post-Auth-Type Challenge (14) # Executing group from file /etc/freeradius/sites-enabled/default (14) Challenge { ... } # empty sub-section is ignored (14) session-state: Saving cached attributes (14) Framed-MTU = 1400 (14) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (14) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (14) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (14) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (14) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (14) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (14) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (14) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (14) Sent Access-Challenge Id 18 from 10.0.0.4:1812 to secret:44534 length 1474 (14) EAP-Message = 0x018c057e0dc000000bfe160303007a020000760303aefeeb2da06a5d8cf1b3e1b3494523bd0f84c8be57c647720ac838f920eb718b2076fdc5a5044c2b7480acb3030a6f1df6e28396b6314fad5415f13dc3f3e89ab2130200002e002b0002030400330024001d0020cbb93813fb223b886a1fceedd1c91cb66ce1eed8d474cbca0a1df5de5ec7164514030300010117030300179932f649c5d011f30b188fa0b44caa751030ef7d8ba31d17030300892e68c557050075c9341bfdf6e73b9ff044400fd9d04272ab37ea6eedf6764b49cef75f31cb2345cf5fcd226437ff5c0e57b737247de7e2c54cc6bec3ed84359d6b347b2186ad9d30c41ccbe400c7ce5794474ef48fe6cb2ee866a7ae577680bbcbac46d1d63e3c7a474fa5495e91255c7d8e7ada59fb03c124f7cf12787e5a20d4a9a1fb6e5ce1f8c81703030962427e48b5619d05dd7723310996ba85d17b7f8b32de814518e80317c4997073c9f37198a6405ba738beb2484340e3a812572bed81eab0f6045b (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x17bfec171633e18dea1aee57ef94a17d (14) Finished request Waking up in 4.9 seconds. (15) Received Access-Request Id 19 from secret:44534 to 10.0.0.4:1812 length 390 (15) User-Name = "host/1YHMMX3" (15) NAS-IP-Address = secret (15) NAS-Identifier = "E4-55-A8-06-A9-3E:vap0" (15) NAS-Port-Type = Wireless-802.11 (15) Service-Type = Framed-User (15) NAS-Port = 1 (15) Calling-Station-Id = "D4-E9-8A-64-66-AD" (15) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 37 / Channel: 11" (15) Acct-Session-Id = "82C6E9505A1A170B" (15) Acct-Multi-Session-Id = "D1735CC8AF307E3C" (15) WLAN-Pairwise-Cipher = 1027076 (15) WLAN-Group-Cipher = 1027076 (15) WLAN-AKM-Suite = 1027073 (15) Meraki-Network-Name = "secret" (15) Meraki-Ap-Name = "secret" (15) Meraki-Ap-Tags = " secret " (15) Called-Station-Id = "E4-55-A8-06-A9-3E:secret" (15) Meraki-Device-Name = "secret" (15) Framed-MTU = 1400 (15) EAP-Message = 0x028c00060d00 (15) State = 0x17bfec171633e18dea1aee57ef94a17d (15) Message-Authenticator = 0x65821874a57e7d1d91f2367acf7be7fe (15) Restoring &session-state (15) &session-state:Framed-MTU = 1400 (15) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (15) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (15) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (15) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (15) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (15) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (15) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (15) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (15) # Executing section authorize from file /etc/freeradius/sites-enabled/default (15) authorize { (15) policy filter_username { (15) if (&User-Name) { (15) if (&User-Name) -> TRUE (15) if (&User-Name) { (15) if (&User-Name =~ / /) { (15) if (&User-Name =~ / /) -> FALSE (15) if (&User-Name =~ /@[^@]*@/ ) { (15) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (15) if (&User-Name =~ /\.\./ ) { (15) if (&User-Name =~ /\.\./ ) -> FALSE (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (15) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (15) if (&User-Name =~ /\.$/) { (15) if (&User-Name =~ /\.$/) -> FALSE (15) if (&User-Name =~ /@\./) { (15) if (&User-Name =~ /@\./) -> FALSE (15) } # if (&User-Name) = notfound (15) } # policy filter_username = notfound (15) [preprocess] = ok (15) [digest] = noop (15) suffix: Checking for suffix after "@" (15) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (15) suffix: No such realm "NULL" (15) [suffix] = noop (15) eap: Peer sent EAP Response (code 2) ID 140 length 6 (15) eap: No EAP Start, assuming it's an on-going EAP conversation (15) [eap] = updated (15) [files] = noop (15) [expiration] = noop (15) [logintime] = noop (15) } # authorize = updated (15) Found Auth-Type = eap (15) # Executing group from file /etc/freeradius/sites-enabled/default (15) authenticate { (15) eap: Removing EAP session with state 0x17bfec171633e18d (15) eap: Previous EAP request found for state 0x17bfec171633e18d, released from the list (15) eap: Peer sent packet with method EAP TLS (13) (15) eap: Calling submodule eap_tls to process data (15) eap_tls: (TLS) Peer ACKed our handshake fragment (15) eap: Sending EAP Request (code 1) ID 141 length 1406 (15) eap: EAP session adding &reply:State = 0x17bfec171532e18d (15) [eap] = handled (15) } # authenticate = handled (15) Using Post-Auth-Type Challenge (15) # Executing group from file /etc/freeradius/sites-enabled/default (15) Challenge { ... } # empty sub-section is ignored (15) session-state: Saving cached attributes (15) Framed-MTU = 1400 (15) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (15) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (15) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (15) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (15) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (15) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (15) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (15) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (15) Sent Access-Challenge Id 19 from 10.0.0.4:1812 to secret:44534 length 1474 (15) EAP-Message = 0x018d057e0dc000000bfecc6e69f8d07964b94435aff2c4150da7d62bb3bac882aed5bb10519783f1167ae9e5221f1973feb232c48c641d7e7f5813ea9a5f5b3cdd9a122a3786a7dc0fec1f7838bb926dd08abe952970f4f76c1c748b650bf4b652e512794c324c727f65f004c1d409b299e8e322329c0996fe1ce42f35c935ad6ddec4294b3c9aa69b082a71174e2139d603ff5e8ac2b9049c23ac960e079a386bdf93358d0f008ef55f22a2ec0df08dcaa11a2fb8997a2b3d088c779c1ba39f345ea5b19e163bb84c8a1951b65c04fe8b91163e146178d399896cadbbdac52071765de9f06ca9a66e47a6d0736e970b392c02819641b8b28c8c86dcdb7fe73543e6ba7b385b8f5d5971ca6e272058a663ec0ae62b87f56319ec2eb2023fe5b8dd4d7666f10acc5171d44f9f5accb287bdd897e1480f4c985bf4f717be3a98d6ddd4a58b23624e5c525f1644567a3356f6e7fbdd6c7d8884da734343ac90b6a70872b7051c6be9cbe0b1aa27872be88006bb582c1fc309 (15) Message-Authenticator = 0x00000000000000000000000000000000 (15) State = 0x17bfec171532e18dea1aee57ef94a17d (15) Finished request Waking up in 4.8 seconds. (16) Received Access-Request Id 20 from secret:44534 to 10.0.0.4:1812 length 390 (16) User-Name = "host/1YHMMX3" (16) NAS-IP-Address = secret (16) NAS-Identifier = "E4-55-A8-06-A9-3E:vap0" (16) NAS-Port-Type = Wireless-802.11 (16) Service-Type = Framed-User (16) NAS-Port = 1 (16) Calling-Station-Id = "D4-E9-8A-64-66-AD" (16) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 37 / Channel: 11" (16) Acct-Session-Id = "82C6E9505A1A170B" (16) Acct-Multi-Session-Id = "D1735CC8AF307E3C" (16) WLAN-Pairwise-Cipher = 1027076 (16) WLAN-Group-Cipher = 1027076 (16) WLAN-AKM-Suite = 1027073 (16) Meraki-Network-Name = "secret" (16) Meraki-Ap-Name = "secret" (16) Meraki-Ap-Tags = " secret " (16) Called-Station-Id = "E4-55-A8-06-A9-3E:secret" (16) Meraki-Device-Name = "secret" (16) Framed-MTU = 1400 (16) EAP-Message = 0x028d00060d00 (16) State = 0x17bfec171532e18dea1aee57ef94a17d (16) Message-Authenticator = 0xbd606e4e5a0d517841c9ca79d2f8cda1 (16) Restoring &session-state (16) &session-state:Framed-MTU = 1400 (16) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (16) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (16) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (16) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (16) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (16) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (16) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (16) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (16) # Executing section authorize from file /etc/freeradius/sites-enabled/default (16) authorize { (16) policy filter_username { (16) if (&User-Name) { (16) if (&User-Name) -> TRUE (16) if (&User-Name) { (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@[^@]*@/ ) { (16) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # if (&User-Name) = notfound (16) } # policy filter_username = notfound (16) [preprocess] = ok (16) [digest] = noop (16) suffix: Checking for suffix after "@" (16) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (16) suffix: No such realm "NULL" (16) [suffix] = noop (16) eap: Peer sent EAP Response (code 2) ID 141 length 6 (16) eap: No EAP Start, assuming it's an on-going EAP conversation (16) [eap] = updated (16) [files] = noop (16) [expiration] = noop (16) [logintime] = noop (16) } # authorize = updated (16) Found Auth-Type = eap (16) # Executing group from file /etc/freeradius/sites-enabled/default (16) authenticate { (16) eap: Removing EAP session with state 0x17bfec171532e18d (16) eap: Previous EAP request found for state 0x17bfec171532e18d, released from the list (16) eap: Peer sent packet with method EAP TLS (13) (16) eap: Calling submodule eap_tls to process data (16) eap_tls: (TLS) Peer ACKed our handshake fragment (16) eap: Sending EAP Request (code 1) ID 142 length 288 (16) eap: EAP session adding &reply:State = 0x17bfec171431e18d (16) [eap] = handled (16) } # authenticate = handled (16) Using Post-Auth-Type Challenge (16) # Executing group from file /etc/freeradius/sites-enabled/default (16) Challenge { ... } # empty sub-section is ignored (16) session-state: Saving cached attributes (16) Framed-MTU = 1400 (16) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (16) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (16) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (16) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (16) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (16) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (16) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (16) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (16) Sent Access-Challenge Id 20 from 10.0.0.4:1812 to secret:44534 length 348 (16) EAP-Message = 0x018e01200d8000000bfe27d17faf8da235e7483192fbf5554dc6b957660b8a8cbdccfa249095c66432e5a7a8af54f2e894ac65d81180dc23f004df2d05241d623d633f3762fc243ce78cd1f3068c5fb9077e6828af09fceb5c0a283332ce8f1c917cef6e412d409d8af494caa10f9575f04e3e4bf17e53caf2d6622de62c6e225387e75524a32634d65b6e7363118ad33020371f148d292898923324c3968b6e8555324fa396da0e4744071b636650dce77cedd323a34bd10132a9b4005a3be0ee4109a92c3d6331195b15be108fbe7f532f0e444fc717030300452b63998f36ff671d79c42f3ff7ae559ed27c2d16bd0d80c5b91527e051037cbe64708ff789a38392192efcd82633ea8065565be1de53819972220d021fe3eec556af5a88f8 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0x17bfec171431e18dea1aee57ef94a17d (16) Finished request Waking up in 4.8 seconds. (17) Received Access-Request Id 21 from secret:44534 to 10.0.0.4:1812 length 1886 (17) User-Name = "host/1YHMMX3" (17) NAS-IP-Address = secret (17) NAS-Identifier = "E4-55-A8-06-A9-3E:vap0" (17) NAS-Port-Type = Wireless-802.11 (17) Service-Type = Framed-User (17) NAS-Port = 1 (17) Calling-Station-Id = "D4-E9-8A-64-66-AD" (17) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 34 / Channel: 11" (17) Acct-Session-Id = "82C6E9505A1A170B" (17) Acct-Multi-Session-Id = "D1735CC8AF307E3C" (17) WLAN-Pairwise-Cipher = 1027076 (17) WLAN-Group-Cipher = 1027076 (17) WLAN-AKM-Suite = 1027073 (17) Meraki-Network-Name = "secret" (17) Meraki-Ap-Name = "secret" (17) Meraki-Ap-Tags = " secret " (17) Called-Station-Id = "E4-55-A8-06-A9-3E:secret" (17) Meraki-Device-Name = "secret" (17) Framed-MTU = 1400 (17) EAP-Message = 0x028e05d40dc00000073e1403030001011703030733053818828fcc530fd1d8014b079bf3248eb3c69f89e3fc0bd953402b110a3766c36a2b1c40e3cc33e5f95fc920b02d103285187b496e962ff09c0cf574c876a32810e27eca24495ad853fab42a308af9cec25c48c3e31f2625ea359672a12f7c2bf11c936b52d8835f07d4a5ec61c06439fde36fc052e2def248e24f28f5da868709002b5fa9428ff388e8478748d2c6d0ed2e4273e0237cd5be8118ce49232b340e7fbcf117094e72cfcd5175faa97fbf458a395fc77ab66b82dd430c7a28f2fe8e0e016192cc4326d6d3b5e5837533a85cf0781fd1647800dd36b6063065783d305add90c4c25e6e2f53d8e6d126f98df2017da1c21d0d1548100ab68b54b7d270252afcbefd5131df0675050d3eb6c4e2f7f8d69c36048495a9ee9b85ad7ee134f3c002a3eeb074abf8543bc9ecb6c581eecbf9d498651b9d7c5f65087ab4d99388ba918413e3e027924abcdc3074df4097dd05ba3352317c054b3cce1160bd36 (17) State = 0x17bfec171431e18dea1aee57ef94a17d (17) Message-Authenticator = 0x1f4049f7535751ad10164aa536dee632 (17) Restoring &session-state (17) &session-state:Framed-MTU = 1400 (17) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (17) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (17) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (17) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (17) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (17) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (17) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (17) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (17) # Executing section authorize from file /etc/freeradius/sites-enabled/default (17) authorize { (17) policy filter_username { (17) if (&User-Name) { (17) if (&User-Name) -> TRUE (17) if (&User-Name) { (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@[^@]*@/ ) { (17) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # if (&User-Name) = notfound (17) } # policy filter_username = notfound (17) [preprocess] = ok (17) [digest] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) eap: Peer sent EAP Response (code 2) ID 142 length 1492 (17) eap: No EAP Start, assuming it's an on-going EAP conversation (17) [eap] = updated (17) [files] = noop (17) [expiration] = noop (17) [logintime] = noop (17) } # authorize = updated (17) Found Auth-Type = eap (17) # Executing group from file /etc/freeradius/sites-enabled/default (17) authenticate { (17) eap: Removing EAP session with state 0x17bfec171431e18d (17) eap: Previous EAP request found for state 0x17bfec171431e18d, released from the list (17) eap: Peer sent packet with method EAP TLS (13) (17) eap: Calling submodule eap_tls to process data (17) eap_tls: (TLS) EAP Peer says that the final record size will be 1854 bytes (17) eap_tls: (TLS) EAP Expecting 2 fragments (17) eap_tls: (TLS) EAP Got first TLS fragment (1482 bytes). Peer says more fragments will follow (17) eap_tls: (TLS) EAP ACKing fragment, the peer should send more data. (17) eap: Sending EAP Request (code 1) ID 143 length 6 (17) eap: EAP session adding &reply:State = 0x17bfec171330e18d (17) [eap] = handled (17) } # authenticate = handled (17) Using Post-Auth-Type Challenge (17) # Executing group from file /etc/freeradius/sites-enabled/default (17) Challenge { ... } # empty sub-section is ignored (17) session-state: Saving cached attributes (17) Framed-MTU = 1400 (17) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (17) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (17) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (17) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (17) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (17) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (17) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (17) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (17) Sent Access-Challenge Id 21 from 10.0.0.4:1812 to secret:44534 length 64 (17) EAP-Message = 0x018f00060d00 (17) Message-Authenticator = 0x00000000000000000000000000000000 (17) State = 0x17bfec171330e18dea1aee57ef94a17d (17) Finished request Waking up in 4.4 seconds. (18) Received Access-Request Id 22 from secret:44534 to 10.0.0.4:1812 length 764 (18) User-Name = "host/1YHMMX3" (18) NAS-IP-Address = secret (18) NAS-Identifier = "E4-55-A8-06-A9-3E:vap0" (18) NAS-Port-Type = Wireless-802.11 (18) Service-Type = Framed-User (18) NAS-Port = 1 (18) Calling-Station-Id = "D4-E9-8A-64-66-AD" (18) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 35 / Channel: 11" (18) Acct-Session-Id = "82C6E9505A1A170B" (18) Acct-Multi-Session-Id = "D1735CC8AF307E3C" (18) WLAN-Pairwise-Cipher = 1027076 (18) WLAN-Group-Cipher = 1027076 (18) WLAN-AKM-Suite = 1027073 (18) Meraki-Network-Name = "secret" (18) Meraki-Ap-Name = "secret" (18) Meraki-Ap-Tags = " secret " (18) Called-Station-Id = "E4-55-A8-06-A9-3E:secret" (18) Meraki-Device-Name = "secret" (18) Framed-MTU = 1400 (18) EAP-Message = 0x028f017a0d007dca2b47d7df204ff1e85144bed8b61f6cd3c3e3871b42fd02b2c8bbc5adb0fa772fbd68582c975193ec1c7ca052016e0d5489b922523bd4195c0314d7d554c1a6b7472385cdb6aaac1d945bf63aa4f74528df44141af9c22682d8f6defd49601f290a790a2b57a27d5993599e554e751231afd71449f59c1371dacea43821577e2b6d2c79e4d17b8abeeba0ad4ede95aa7adb50b69e287d4d38b79178a1abbbe3aa12c4c2d5e6faab9fbb1f19c18eaacedf0c9b8c35bbdd1b9f9ca72be67211b338498fc5c1cc8cafa69a1aa1aad13471089b0b36025f1c9f2f7f87200689246520d2f0e4624ae20e379e1c99c3d66410a7b130b89d615a277c110c177a52ef688f6ddae02b332fa1d508bda17aa517e90c7318f3828afe72cf83104ac920c06a9ee177853f7c0032ad88a4068a2cfce5bde98da2bd29243af989f0dc4852513a14a12e60d0d9b7f72fcce2d999fa510383de5b3756b48eadd30273d97ee89b9bafd237c88951e795236013349e28605e (18) State = 0x17bfec171330e18dea1aee57ef94a17d (18) Message-Authenticator = 0xcc869f9aa52e4b050fced77bb8e3b718 (18) Restoring &session-state (18) &session-state:Framed-MTU = 1400 (18) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (18) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (18) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (18) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (18) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (18) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (18) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (18) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (18) # Executing section authorize from file /etc/freeradius/sites-enabled/default (18) authorize { (18) policy filter_username { (18) if (&User-Name) { (18) if (&User-Name) -> TRUE (18) if (&User-Name) { (18) if (&User-Name =~ / /) { (18) if (&User-Name =~ / /) -> FALSE (18) if (&User-Name =~ /@[^@]*@/ ) { (18) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (18) if (&User-Name =~ /\.\./ ) { (18) if (&User-Name =~ /\.\./ ) -> FALSE (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (18) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (18) if (&User-Name =~ /\.$/) { (18) if (&User-Name =~ /\.$/) -> FALSE (18) if (&User-Name =~ /@\./) { (18) if (&User-Name =~ /@\./) -> FALSE (18) } # if (&User-Name) = notfound (18) } # policy filter_username = notfound (18) [preprocess] = ok (18) [digest] = noop (18) suffix: Checking for suffix after "@" (18) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (18) suffix: No such realm "NULL" (18) [suffix] = noop (18) eap: Peer sent EAP Response (code 2) ID 143 length 378 (18) eap: No EAP Start, assuming it's an on-going EAP conversation (18) [eap] = updated (18) [files] = noop (18) [expiration] = noop (18) [logintime] = noop (18) } # authorize = updated (18) Found Auth-Type = eap (18) # Executing group from file /etc/freeradius/sites-enabled/default (18) authenticate { (18) eap: Removing EAP session with state 0x17bfec171330e18d (18) eap: Previous EAP request found for state 0x17bfec171330e18d, released from the list (18) eap: Peer sent packet with method EAP TLS (13) (18) eap: Calling submodule eap_tls to process data (18) eap_tls: (TLS) EAP Done initial handshake (18) eap_tls: (TLS) TLS - Handshake state - Server TLSv1.3 early data (18) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, Certificate (18) eap_tls: (TLS) TLS - Creating attributes from 2 certificate in chain (18) eap_tls: TLS-Cert-Serial := "6b92ee8fe3454c9b47b46b05a3e74566" (18) eap_tls: TLS-Cert-Expiration := "340723105705Z" (18) eap_tls: TLS-Cert-Valid-Since := "240723104705Z" (18) eap_tls: TLS-Cert-Subject := "/DC=com/DC=secret/CN=secret-CA" (18) eap_tls: TLS-Cert-Issuer := "/DC=com/DC=secret/CN=secret-CA" (18) eap_tls: TLS-Cert-Common-Name := "secret-CA" (18) eap_tls: (TLS) TLS - Creating attributes from 1 certificate in chain (18) eap_tls: TLS-Client-Cert-Serial := "49000004f491f18cbe4b993f480000000004f4" (18) eap_tls: TLS-Client-Cert-Expiration := "260917152559Z" (18) eap_tls: TLS-Client-Cert-Valid-Since := "240917152559Z" (18) eap_tls: TLS-Client-Cert-Subject := "/CN=1YHMMX3" (18) eap_tls: TLS-Client-Cert-Issuer := "/DC=com/DC=secret/CN=secret-CA" (18) eap_tls: TLS-Client-Cert-Common-Name := "1YHMMX3" (18) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, E-mail Protection, Microsoft Encrypted File System" (18) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "CF:3E:92:64:E2:D3:D7:68:01:94:FD:52:09:37:18:DD:51:49:C1:83" (18) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:DB:E9:4E:6C:67:B9:24:1B:0E:CB:22:D7:A3:AA:86:65:F4:85:2F:6C\n" (18) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (18) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.4" (18) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.10.3.4" Certificate chain - 1 intermediate CA cert(s) untrusted To forbid these certificates see 'reject_unknown_intermediate_ca' (TLS) untrusted certificate with depth [0] subject name /CN=1YHMMX3 (18) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read client certificate (18) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, CertificateVerify (18) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read certificate verify (18) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, Finished (18) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS read finished (18) eap_tls: (TLS) TLS - Handshake state - SSLv3/TLS write session ticket (18) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, NewSessionTicket (18) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write session ticket (18) eap_tls: (TLS) TLS - Connection Established (18) eap_tls: TLS-Session-Cipher-Suite = "TLS_AES_256_GCM_SHA384" (18) eap_tls: TLS-Session-Version = "TLS 1.3" (18) eap_tls: (TLS) EAP Sending final Commitment Message. (18) eap_tls: (TLS) TLS - send TLS 1.3 Handshake, NewSessionTicket (18) eap: Sending EAP Request (code 1) ID 144 length 112 (18) eap: EAP session adding &reply:State = 0x17bfec17122fe18d (18) [eap] = handled (18) } # authenticate = handled (18) Using Post-Auth-Type Challenge (18) # Executing group from file /etc/freeradius/sites-enabled/default (18) Challenge { ... } # empty sub-section is ignored (18) session-state: Saving cached attributes (18) Framed-MTU = 1400 (18) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (18) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (18) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (18) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (18) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (18) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (18) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (18) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (18) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, Certificate" (18) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, CertificateVerify" (18) TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, Finished" (18) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, NewSessionTicket" (18) TLS-Session-Cipher-Suite = "TLS_AES_256_GCM_SHA384" (18) TLS-Session-Version = "TLS 1.3" (18) TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, NewSessionTicket" (18) Sent Access-Challenge Id 22 from 10.0.0.4:1812 to secret:44534 length 170 (18) EAP-Message = 0x019000700d8000000066170303004a23cfe46ba1777b39109a34efd0e22cfdfbc5b393dbe2841232c1ae7c21da52deaed27ee45d7436d17a4b09476aa022dda6c5aa74553c22e5ea1def1b09d78bb4438dd61d3e2eebdaa3521703030012008f066d2a43ea5b57720f7d5ad205909ef4 (18) Message-Authenticator = 0x00000000000000000000000000000000 (18) State = 0x17bfec17122fe18dea1aee57ef94a17d (18) Finished request Waking up in 4.3 seconds. (19) Received Access-Request Id 23 from secret:44534 to 10.0.0.4:1812 length 390 (19) User-Name = "host/1YHMMX3" (19) NAS-IP-Address = secret (19) NAS-Identifier = "E4-55-A8-06-A9-3E:vap0" (19) NAS-Port-Type = Wireless-802.11 (19) Service-Type = Framed-User (19) NAS-Port = 1 (19) Calling-Station-Id = "D4-E9-8A-64-66-AD" (19) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 37 / Channel: 11" (19) Acct-Session-Id = "82C6E9505A1A170B" (19) Acct-Multi-Session-Id = "D1735CC8AF307E3C" (19) WLAN-Pairwise-Cipher = 1027076 (19) WLAN-Group-Cipher = 1027076 (19) WLAN-AKM-Suite = 1027073 (19) Meraki-Network-Name = "secret" (19) Meraki-Ap-Name = "secret" (19) Meraki-Ap-Tags = " secret " (19) Called-Station-Id = "E4-55-A8-06-A9-3E:secret" (19) Meraki-Device-Name = "secret" (19) Framed-MTU = 1400 (19) EAP-Message = 0x029000060d00 (19) State = 0x17bfec17122fe18dea1aee57ef94a17d (19) Message-Authenticator = 0xfc37430b133aa357cbff57b8966cd168 (19) Restoring &session-state (19) &session-state:Framed-MTU = 1400 (19) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, ClientHello" (19) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, ServerHello" (19) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 ChangeCipherSpec" (19) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions" (19) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest" (19) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Certificate" (19) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify" (19) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, Finished" (19) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, Certificate" (19) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, CertificateVerify" (19) &session-state:TLS-Session-Information = "(TLS) TLS - recv TLS 1.3 Handshake, Finished" (19) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, NewSessionTicket" (19) &session-state:TLS-Session-Cipher-Suite = "TLS_AES_256_GCM_SHA384" (19) &session-state:TLS-Session-Version = "TLS 1.3" (19) &session-state:TLS-Session-Information = "(TLS) TLS - send TLS 1.3 Handshake, NewSessionTicket" (19) # Executing section authorize from file /etc/freeradius/sites-enabled/default (19) authorize { (19) policy filter_username { (19) if (&User-Name) { (19) if (&User-Name) -> TRUE (19) if (&User-Name) { (19) if (&User-Name =~ / /) { (19) if (&User-Name =~ / /) -> FALSE (19) if (&User-Name =~ /@[^@]*@/ ) { (19) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (19) if (&User-Name =~ /\.\./ ) { (19) if (&User-Name =~ /\.\./ ) -> FALSE (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (19) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (19) if (&User-Name =~ /\.$/) { (19) if (&User-Name =~ /\.$/) -> FALSE (19) if (&User-Name =~ /@\./) { (19) if (&User-Name =~ /@\./) -> FALSE (19) } # if (&User-Name) = notfound (19) } # policy filter_username = notfound (19) [preprocess] = ok (19) [digest] = noop (19) suffix: Checking for suffix after "@" (19) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (19) suffix: No such realm "NULL" (19) [suffix] = noop (19) eap: Peer sent EAP Response (code 2) ID 144 length 6 (19) eap: No EAP Start, assuming it's an on-going EAP conversation (19) [eap] = updated (19) [files] = noop (19) [expiration] = noop (19) [logintime] = noop (19) } # authorize = updated (19) Found Auth-Type = eap (19) # Executing group from file /etc/freeradius/sites-enabled/default (19) authenticate { (19) eap: Removing EAP session with state 0x17bfec17122fe18d (19) eap: Previous EAP request found for state 0x17bfec17122fe18d, released from the list (19) eap: Peer sent packet with method EAP TLS (13) (19) eap: Calling submodule eap_tls to process data (19) eap_tls: (TLS) Peer ACKed our handshake fragment. handshake is finished (19) eap_tls: (TLS) cache - Setting up attributes for session resumption (19) eap_tls: caching EAP-Type = TLS (19) eap_tls: caching TLS-Cert-Serial := "6b92ee8fe3454c9b47b46b05a3e74566" (19) eap_tls: caching TLS-Cert-Expiration := "340723105705Z" (19) eap_tls: caching TLS-Cert-Valid-Since := "240723104705Z" (19) eap_tls: caching TLS-Cert-Subject := "/DC=com/DC=secret/CN=secret-CA" (19) eap_tls: caching TLS-Cert-Issuer := "/DC=com/DC=secret/CN=secret-CA" (19) eap_tls: caching TLS-Cert-Common-Name := "secret-CA" (19) eap_tls: caching TLS-Client-Cert-Serial := "49000004f491f18cbe4b993f480000000004f4" (19) eap_tls: caching TLS-Client-Cert-Expiration := "260917152559Z" (19) eap_tls: caching TLS-Client-Cert-Valid-Since := "240917152559Z" (19) eap_tls: caching TLS-Client-Cert-Subject := "/CN=1YHMMX3" (19) eap_tls: caching TLS-Client-Cert-Issuer := "/DC=com/DC=secret/CN=secret-CA" (19) eap_tls: caching TLS-Client-Cert-Common-Name := "1YHMMX3" (19) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, E-mail Protection, Microsoft Encrypted File System" (19) eap_tls: caching TLS-Client-Cert-X509v3-Subject-Key-Identifier += "CF:3E:92:64:E2:D3:D7:68:01:94:FD:52:09:37:18:DD:51:49:C1:83" (19) eap_tls: caching TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:DB:E9:4E:6C:67:B9:24:1B:0E:CB:22:D7:A3:AA:86:65:F4:85:2F:6C\n" (19) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (19) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.4" (19) eap_tls: caching TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.10.3.4" (19) eap_tls: Failed to find 'persist_dir' in TLS configuration. Session will not be cached on disk. (19) eap: Sending EAP Success (code 3) ID 144 length 4 (19) eap: Freeing handler (19) [eap] = ok (19) } # authenticate = ok (19) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (19) post-auth { (19) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { (19) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE (19) update { (19) &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1400 (19) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.3 Handshake, ClientHello' (19) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.3 Handshake, ServerHello' (19) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.3 ChangeCipherSpec' (19) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.3 Handshake, EncryptedExtensions' (19) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.3 Handshake, CertificateRequest' (19) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.3 Handshake, Certificate' (19) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.3 Handshake, CertificateVerify' (19) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.3 Handshake, Finished' (19) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.3 Handshake, Certificate' (19) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.3 Handshake, CertificateVerify' (19) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - recv TLS 1.3 Handshake, Finished' (19) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.3 Handshake, NewSessionTicket' (19) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'TLS_AES_256_GCM_SHA384' (19) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.3' (19) &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) TLS - send TLS 1.3 Handshake, NewSessionTicket' (19) } # update = noop (19) [exec] = noop (19) policy remove_reply_message_if_eap { (19) if (&reply:EAP-Message && &reply:Reply-Message) { (19) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (19) else { (19) [noop] = noop (19) } # else = noop (19) } # policy remove_reply_message_if_eap = noop (19) if (EAP-Key-Name && &reply:EAP-Session-Id) { (19) if (EAP-Key-Name && &reply:EAP-Session-Id) -> FALSE (19) } # post-auth = noop (19) Login OK: [host/1YHMMX3] (from client AP-Meraki port 1 cli D4-E9-8A-64-66-AD) (19) Sent Access-Accept Id 23 from 10.0.0.4:1812 to secret:44534 length 180 (19) MS-MPPE-Recv-Key = 0x48e8db1008b690d21e3c0755f9bd6082b00a2aafeded232f814a1dcbb60321a2 (19) MS-MPPE-Send-Key = 0xedf4acf849e34fb16e8f79ad801510c405c18bc135e648e8ad1aaeb942143f28 (19) EAP-Message = 0x03900004 (19) Message-Authenticator = 0x00000000000000000000000000000000 (19) User-Name = "host/1YHMMX3" (19) Framed-MTU += 1400 (19) Finished request Waking up in 4.3 seconds. (20) Received Accounting-Request Id 24 from secret:50158 to 10.0.0.4:1813 length 290 (20) Acct-Status-Type = Start (20) Acct-Authentic = RADIUS (20) User-Name = "host/1YHMMX3" (20) NAS-IP-Address = secret (20) NAS-Identifier = "E4-55-A8-06-A9-3E:vap0" (20) NAS-Port-Type = Wireless-802.11 (20) Service-Type = Framed-User (20) NAS-Port = 1 (20) Calling-Station-Id = "D4-E9-8A-64-66-AD" (20) Connect-Info = "CONNECT 54.00 Mbps / 802.11n / RSSI: 38 / Channel: 11" (20) Acct-Session-Id = "82C6E9505A1A170B" (20) Acct-Multi-Session-Id = "D1735CC8AF307E3C" (20) WLAN-Pairwise-Cipher = 1027076 (20) WLAN-Group-Cipher = 1027076 (20) WLAN-AKM-Suite = 1027073 (20) Called-Station-Id = "E4-55-A8-06-A9-3E:secret" (20) Meraki-Device-Name = "secret" (20) Framed-IP-Address = 10.69.20.69 (20) Event-Timestamp = "Sep 17 2024 18:35:26 CEST" (20) Acct-Delay-Time = 0 (20) # Executing section preacct from file /etc/freeradius/sites-enabled/default (20) preacct { (20) [preprocess] = ok (20) policy acct_unique { (20) update request { (20) &Tmp-String-9 := "ai:" (20) } # update request = noop (20) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) { (20) EXPAND %{hex:&Class} (20) --> (20) EXPAND ^%{hex:&Tmp-String-9} (20) --> ^61693a (20) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE (20) else { (20) update request { (20) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}} (20) --> 4a596a96ca6c6775b2b88de4e2353cee (20) &Acct-Unique-Session-Id := 4a596a96ca6c6775b2b88de4e2353cee (20) } # update request = noop (20) } # else = noop (20) update request { (20) &Tmp-String-9 !* ANY (20) } # update request = noop (20) } # policy acct_unique = noop (20) suffix: Checking for suffix after "@" (20) suffix: No '@' in User-Name = "host/1YHMMX3", looking up realm NULL (20) suffix: No such realm "NULL" (20) [suffix] = noop (20) [files] = noop (20) } # preacct = ok (20) # Executing section accounting from file /etc/freeradius/sites-enabled/default (20) accounting { (20) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d (20) detail: --> /var/log/freeradius/radacct/secret/detail-20240917 (20) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/secret/detail-20240917 (20) detail: EXPAND %t (20) detail: --> Tue Sep 17 18:35:26 2024 (20) [detail] = ok (20) [unix] = ok (20) [exec] = noop (20) attr_filter.accounting_response: EXPAND %{User-Name} (20) attr_filter.accounting_response: --> host/1YHMMX3 (20) attr_filter.accounting_response: Matched entry DEFAULT at line 12 (20) [attr_filter.accounting_response] = updated (20) } # accounting = updated (20) Sent Accounting-Response Id 24 from 10.0.0.4:1813 to secret:50158 length 20 (20) Finished request (20) Cleaning up request packet ID 24 with timestamp +238 due to done Waking up in 4.2 seconds. (13) Cleaning up request packet ID 17 with timestamp +237 due to cleanup_delay was reached (14) Cleaning up request packet ID 18 with timestamp +237 due to cleanup_delay was reached (15) Cleaning up request packet ID 19 with timestamp +237 due to cleanup_delay was reached (16) Cleaning up request packet ID 20 with timestamp +237 due to cleanup_delay was reached Waking up in 0.4 seconds. (17) Cleaning up request packet ID 21 with timestamp +238 due to cleanup_delay was reached (18) Cleaning up request packet ID 22 with timestamp +238 due to cleanup_delay was reached (19) Cleaning up request packet ID 23 with timestamp +238 due to cleanup_delay was reached Ready to process requests ```